Malicious executables unleashed by unwitting staff have become so much of a threat that enterprises will move to broadly denying PC users the right to download almost anything from the Internet, predicts a report from a security vendor.
The report this week from Hewlett-Packard Co.’s TippingPoint DVLabs says “the future of personal computing [in organizations] will move toward a default deny model,” in which everything not explicitly allowed is forbidden.
Security policies “are going to become more granular, more policy-based,” Dan Holden, the lab’s director, explained in an interview Thursday.
That means some employees may have broader download rights than others – perhaps C-level executives or those in creative jobs like reporters – but most users will see severe limits.
As an interim measure, the report recommends “strong and comprehensive configuration management” for workstations, servers, firewalls, routers and switches – including tracking exceptions.
The conclusion comes as the report, an annual list of the top cyber security risks, notes attackers are using more sophisticated techniques than ever to get behind corporate firewalls. The kinds of attacks aren’t necessarily increasing – in fact the report notes some have been around for years and go after the same vulnerabilities – but their methods are getting trickier.
The number of attacks from well-known legacy threats continues, the report notes. For example, attacks on Windows XP’s cmdshell using SQL injection dramatically increased in May and June, mainly in China. Older versions of Microsoft SQL Server are vulnerable to this, the report notes. Also, while declining, the Conficker worm continues to show signs of life.
HTTP client and server attacks dramatically increased over the past six months, the report adds.
But what the report authors are most concerned about is the continued targeting of Web-based applications. That’s understandable given that so many business applications run in browsers, and co-author Mike Dausin, DVLabs’ manager of advanced security intelligence, admits this isn’t new.
But, he said in an interview, the polished nature of the exploit code is “astounding.”
The report also notes a recent increase in Cross Site Request Forgery (CSRF) vulnerabilities, in which a user’s browser is made to execute an action on one application while the user is authenticated to it, such as a bank’s Web site. The report gives the example of a user reading email and clicking on a link at the same time as he is logged into a bank Web site. The link starts an attack that leads to the transfer of money if the bank doesn’t validate that the transfer request came from its own site.
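The validation the report says the bank must perform, shown as an added example that is not from the DVLabs report or any real bank: a transfer handler that only checks the login session (so the forged request the emailed link produces goes through) beside one that also requires a per-session anti-CSRF token and a POST. The session and request dictionaries, account label and amounts are all constructed for the demo.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Mint a per-session secret the bank embeds in its own transfer form."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def transfer_vulnerable(session, request):
    """Checks only that a session exists; the browser attaches the session
    cookie to any request, so a request triggered from an email link passes."""
    if not session.get("user"):
        return "denied: not logged in"
    return "transferred %s to %s" % (request["form"]["amount"], request["form"]["to"])


def transfer_hardened(session, request):
    """Rejects state changes that do not carry the token issued to this session."""
    if not session.get("user"):
        return "denied: not logged in"
    if request["method"] != "POST":
        # A plain link in an email can only produce a GET.
        return "denied: transfers must be POST"
    submitted = request["form"].get("csrf_token", "")
    expected = session.get("csrf_token", "")
    # Constant-time comparison; an empty expected token is never acceptable.
    if not expected or not hmac.compare_digest(submitted, expected):
        return "denied: missing or invalid csrf token"
    return "transferred %s to %s" % (request["form"]["amount"], request["form"]["to"])


def demo():
    """Run the three request shapes through both handlers (constructed data)."""
    session = {"user": "alice"}  # user is logged into the bank
    token = issue_csrf_token(session)
    # What the link in the email produces: the browser sends the cookie, no token.
    from_email_link = {"method": "GET", "form": {"to": "acct-9999", "amount": "1000"}}
    # A cross-site auto-submitted form: right method, but it cannot know the token.
    forged_post = {"method": "POST", "form": {"to": "acct-9999", "amount": "1000"}}
    # The bank's own form, which carries the token from the session.
    legit = {"method": "POST",
             "form": {"to": "acct-1234", "amount": "50", "csrf_token": token}}
    return (transfer_vulnerable(session, from_email_link),
            transfer_hardened(session, from_email_link),
            transfer_hardened(session, forged_post),
            transfer_hardened(session, legit))
```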